General discussion of OpenCATS

Moderators: RussH, cptr13

Forum rules: Just remember to play nicely once you walk through the door. You can disagree with us, or any other commenters in this forum, but keep comments directed to the topic at hand.
By DRHarrison
#4824
We just had our annual Security penetration test, and OpenCATS was flagged due to the older versions of PHP, Apache, and OpenSSL from the XAMPP 5.6.28-1-VC11-installer we used with OpenCATS. Those older versions have vulnerabilities that were flagged.

Our OpenCATS install version 0.9.4-3 and is running on Windows 10

Is there a newer version of XAMPP that contains newer versions of PHP, Apache, and OpenSSL that is
compatible with OpenCATS?

Thanks!
User avatar
By RussH
#4830
Hi there,

yes, the version that should be released as prod shortly is php 7.2 compatible.

https://github.com/opencats/OpenCATS/re ... ag/0.9.5-3

Note that you should migrate carefully, ideally test migrate and do not do it on your prod system in the first instance. This is not PHP 7.4 compatible, those changes will be rolled into future releases.
By DRHarrison
#4832
Thanks Russ.

Any idea when the new release will be available for production?

Noted on the 7.2 version.

I will make sure to migrate in test first.
User avatar
By RussH
#4840
it's dependant on me getting my lazy/busy arse into gear and pushing the release. shouldn't be any code changes in there, I just need to merge Develop to Master, then release.
By DRHarrison
#5007
Checking again in 2021. Any updates on releasing the version that fixes the security issues?
Thanks,
Dennis
User avatar
By RussH
#5008
HI,

the PHP7.2 compatible version is released - it's at github.com/opencats/opencats/releases. As with all significant upgrades.. backup, install carefully in test, then migrate prod only when you're happy.

There are two open vulnerabilities;
1. malicious uploads (via the career portal, if you have it enabled). You need to ensure you have a sufficiently strong htaccess configured to prevent script execution in the upload directory. I'll post some guidance shortly.

2. an authenticated user can exploit some of the forms at the backend (in largely the same way). This is a lower severity as the user needs to already have a backend logon to opencats - however there is a patch that'll be released to mitigate this.
User avatar
By RussH
#5016
Okay, so this is a wiki entry for restricting file upload to certain filetypes only. I fully expect it'll need some clarification so feel free to contribute edits.. but basically it restricts directory listing and only permits particular filetypes.

https://github.com/opencats/OpenCATS/wi ... .htaccess)

these restrictions for the upload directory COULD be added to the single htaccess you (should) have in your webroot but to prevent a .htaccess file being uploaded to your upload directory I like to add this in separately to all the folders under the upload subdirectory, owned by root (so it can't be overwritten by a file from the apache user).. just in case someone manages to upload htaccess.txt as their CV/resume and then manages to rename it to .htaccess.

At the moment it restricts file uploads to (pdf, rtf, odf, doc, docx, txt, wpd). If you want images to be uploaded (e.g. photos for proof of ID) then this will have to be amended.

Note you will have to change syntax if you're running apache 2.2 or 2.4.. and of course you need to create your own if you're on nginx.

Last but not least - haven't tested this yet. WIll do though!!

It's essential to keep these synchronized to ensur[…]

Export part in Job Order order search

Same problem as mine. Maybe you're right, I'll che[…]

The error message you're encountering indicates th[…]

Errors restoring mysqldump backup

doesnot work for me